Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/solution skvs #766

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
111 changes: 111 additions & 0 deletions ecc_go/chaincode/enclave_go/skvs_stub.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package enclave_go

import (
"crypto/sha256"
"fmt"

"github.com/hyperledger/fabric-chaincode-go/shim"
"github.com/hyperledger/fabric-private-chaincode/internal/protos"
"github.com/hyperledger/fabric/protoutil"
"github.com/pkg/errors"
"google.golang.org/protobuf/proto"
)

type skvsStub struct {
*EnclaveStub
}

func NewSkvsStub(cc shim.Chaincode) *skvsStub {
enclaveStub := NewEnclaveStub(cc)
return &skvsStub{enclaveStub}
}

func (e *skvsStub) ChaincodeInvoke(stub shim.ChaincodeStubInterface, chaincodeRequestMessageBytes []byte) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have the feeling that we should remove this wrapper and instead just inject a provider function for the stub that we can set externally.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no sure about this one, might need to ask more insight

logger.Warning("==== SKVS ChaincodeInvoke ====")

signedProposal, err := stub.GetSignedProposal()
if err != nil {
return nil, fmt.Errorf("cannot get signed proposal: %s", err.Error())
}

if err := e.verifySignedProposal(stub, chaincodeRequestMessageBytes); err != nil {
return nil, errors.Wrap(err, "signed proposal verification failed")
}

// unmarshal chaincodeRequest
chaincodeRequestMessage := &protos.ChaincodeRequestMessage{}
err = proto.Unmarshal(chaincodeRequestMessageBytes, chaincodeRequestMessage)
if err != nil {
return nil, err
}

// get key transport message including the encryption keys for request and response
keyTransportMessage, err := e.extractKeyTransportMessage(chaincodeRequestMessage)
if err != nil {
return nil, errors.Wrap(err, "cannot extract keyTransportMessage")
}

// decrypt request
cleartextChaincodeRequest, err := e.extractCleartextChaincodeRequest(chaincodeRequestMessage, keyTransportMessage)
if err != nil {
return nil, errors.Wrap(err, "cannot decrypt chaincode request")
}

// create a new instance of a FPC RWSet that we pass to the stub and later return with the response
rwset := NewReadWriteSet()

// Invoke chaincode
// we wrap the stub with our FpcStubInterface
// ** Implement our own FpcStubInterface
skvsStub := NewSkvsStubInterface(stub, cleartextChaincodeRequest.GetInput(), rwset, e.ccKeys)
ccResponse := e.ccRef.Invoke(skvsStub)
// **
// fpcStub := NewFpcStubInterface(stub, cleartextChaincodeRequest.GetInput(), rwset, e.ccKeys)
// ccResponse := e.ccRef.Invoke(fpcStub)

// marshal chaincode response
ccResponseBytes, err := protoutil.Marshal(&ccResponse)
if err != nil {
return nil, err
}

//encrypt response
encryptedResponse, err := e.csp.EncryptMessage(keyTransportMessage.GetResponseEncryptionKey(), ccResponseBytes)
if err != nil {
return nil, err
}

chaincodeRequestMessageHash := sha256.Sum256(chaincodeRequestMessageBytes)

response := &protos.ChaincodeResponseMessage{
EncryptedResponse: encryptedResponse,
FpcRwSet: rwset.ToFPCKVSet(),
EnclaveId: e.identity.GetEnclaveId(),
Proposal: signedProposal,
ChaincodeRequestMessageHash: chaincodeRequestMessageHash[:],
}

responseBytes, err := proto.Marshal(response)
if err != nil {
return nil, err
}

// create signature
sig, err := e.identity.Sign(responseBytes)
if err != nil {
return nil, err
}

signedResponse := &protos.SignedChaincodeResponseMessage{
ChaincodeResponseMessage: responseBytes,
Signature: sig,
}

return proto.Marshal(signedResponse)
}
115 changes: 115 additions & 0 deletions ecc_go/chaincode/enclave_go/skvs_stub_Interface.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package enclave_go

import (
"encoding/json"

"github.com/hyperledger/fabric-chaincode-go/shim"
pb "github.com/hyperledger/fabric-protos-go/peer"
"github.com/pkg/errors"
)

type SkvsStubInterface struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the name of this file should be all small caps

*FpcStubInterface
allDataOld map[string][]byte
allDataNew map[string][]byte
key string
}

func NewSkvsStubInterface(stub shim.ChaincodeStubInterface, input *pb.ChaincodeInput, rwset *readWriteSet, sep StateEncryptionFunctions) *SkvsStubInterface {
logger.Warning("==== Get New Skvs Interface =====")
fpcStub := NewFpcStubInterface(stub, input, rwset, sep)
skvsStub := SkvsStubInterface{fpcStub, map[string][]byte{}, map[string][]byte{}, "SKVS"}
err := skvsStub.InitSKVS()
if err != nil {
logger.Warningf("Error!! Initializing SKVS failed")
}
return &skvsStub
}

func (s *SkvsStubInterface) InitSKVS() error {
logger.Warningf(" === Initializing SKVS === ")

// get current state, this will only operate once
encValue, err := s.GetPublicState(s.key)
if err != nil {
return nil
}

if len(encValue) == 0 {
logger.Warningf("SKVS is empty, Initiating.")
} else {
value, err := s.sep.DecryptState(encValue)
if err != nil {
return err
}
logger.Warningf("SKVS has default value, loading current value.")

err = json.Unmarshal(value, &s.allDataOld)
if err != nil {
logger.Errorf("SKVS Json unmarshal error: %s", err)
return err
}
err = json.Unmarshal(value, &s.allDataNew)
if err != nil {
logger.Errorf("SKVS Json unmarshal error: %s", err)
return err
}
}

logger.Warningf("SKVS Init finish, allDataOld: %s, allDataNew: %s", s.allDataOld, s.allDataNew)
return nil
}

func (s *SkvsStubInterface) GetState(key string) ([]byte, error) {
logger.Warningf("Calling Get State (Start), key: %s, alldataOld: %s", key, s.allDataOld)
value, found := s.allDataOld[key]
if !found {
return nil, errors.New("skvs allDataOld key not found")
}
logger.Warningf("Calling Get State (End), key: %s, value: %x", key, value)
return value, nil
}

func (s *SkvsStubInterface) PutState(key string, value []byte) error {
logger.Warningf("Calling Put State (Start), key: %s, value: %x, alldata: %s", key, value, s.allDataNew)

s.allDataNew[key] = value
byteAllData, err := json.Marshal(s.allDataNew)
if err != nil {
return err
}
encValue, err := s.sep.EncryptState(byteAllData)
if err != nil {
return err
}
logger.Warningf("Calling Put State (End), put encValue: %x", encValue)

return s.PutPublicState(s.key, encValue)
}

func (s *SkvsStubInterface) DelState(key string) error {
delete(s.allDataNew, key)
byteAllData, err := json.Marshal(s.allDataNew)
if err != nil {
return err
}
encValue, err := s.sep.EncryptState(byteAllData)
if err != nil {
return err
}
return s.PutPublicState(s.key, encValue)
}

func (s *SkvsStubInterface) GetStateByRange(startKey string, endKey string) (shim.StateQueryIteratorInterface, error) {
panic("not implemented") // TODO: Implement
}

func (s *SkvsStubInterface) GetStateByRangeWithPagination(startKey string, endKey string, pageSize int32, bookmark string) (shim.StateQueryIteratorInterface, *pb.QueryResponseMetadata, error) {
panic("not implemented") // TODO: Implement
}
29 changes: 29 additions & 0 deletions ecc_go/chaincode/singleKVS.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package chaincode

import (
"github.com/hyperledger/fabric-chaincode-go/shim"
"github.com/hyperledger/fabric-private-chaincode/ecc/chaincode"
"github.com/hyperledger/fabric-private-chaincode/ecc/chaincode/ercc"
"github.com/hyperledger/fabric-private-chaincode/ecc_go/chaincode/enclave_go"
"github.com/hyperledger/fabric-private-chaincode/internal/endorsement"
"github.com/hyperledger/fabric/common/flogging"
)

var logger = flogging.MustGetLogger("enclave_go")

func NewSkvsChaincode(cc shim.Chaincode) *chaincode.EnclaveChaincode {
logger.Info("Creating new SKVS Chaincode")
ecc := &chaincode.EnclaveChaincode{
Enclave: enclave_go.NewSkvsStub(cc),
Validator: endorsement.NewValidator(),
Extractor: &chaincode.ExtractorImpl{},
Ercc: &ercc.StubImpl{},
}
return ecc
}
Comment on lines +20 to +29
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering if it would be better to add an option to the NewPrivateChaincode method to instantiate the with SKVS rather than creating this new constructor.

It could look like ...

func NewPrivateChaincode(cc shim.Chaincode, options ...func(*chaincode.EnclaveChaincode)) *chaincode.EnclaveChaincode {
  ecc := &chaincode.EnclaveChaincode{
		Enclave:   enclave_go.NewSkvsStub(cc),
		Validator: endorsement.NewValidator(),
		Extractor: &chaincode.ExtractorImpl{},
		Ercc:      &ercc.StubImpl{},
	}
  for _, o := range options {
    o(ecc)
  }
  return ecc
}

func WithSKVS() func(*chaincode.EnclaveChaincode) {
  return func(ecc *chaincode.EnclaveChaincode) {
    ecc.Enclave = enclave_go.NewSkvsStub(cc)
  }
}

and in the chaincode main.go, the developer would write something like that ...

// naive
chaincode := fpc.NewPrivateChaincode(secretChaincode)
// with SKVS
chaincode := fpc.NewPrivateChaincode(secretChaincode, fpc.WithSKVS)

See this article https://golang.cafe/blog/golang-functional-options-pattern.html

WDYT?

5 changes: 3 additions & 2 deletions samples/chaincode/secret-keeper-go/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,14 @@ func main() {

// create chaincode
secretChaincode, _ := contractapi.NewChaincode(&chaincode.SecretKeeper{})
chaincode := fpc.NewPrivateChaincode(secretChaincode)
// chaincode := fpc.NewPrivateChaincode(secretChaincode)
skvsChaincode := fpc.NewSkvsChaincode(secretChaincode)

// start chaincode as a service
server := &shim.ChaincodeServer{
CCID: ccid,
Address: addr,
CC: chaincode,
CC: skvsChaincode,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wondering if we want multiple main files? So we have an example to run secret keeper with and without skvs?

/samples/chaincode/secret-keeper-go/cmd/simple/main.go
/samples/chaincode/secret-keeper-go/cmd/skvs/main.go

A few words in the secret-keeper readme would be nice as well.

TLSProps: shim.TLSProperties{
Disabled: true, // just for testing good enough
},
Expand Down